On Jul 3, 2014, at 12:46 PM, Hans-Christoph Steiner <[email protected]> wrote: > > SSH uses entirely unsigned keys, and it has proven a lot more reliable than > HTTPS/TLS. You use HTTPS/TLS keys the same way as SSH, but TLS requires > signed keys, self-signed works. The signatures are only worth the trust path > behind them, and CAs have not proven to be reliable trust paths. So if you > can't rely on the signatures, why bother using them? This is not just my > opinion, but of many others. Google uses SPKI pinning heavily, for example, > but they still use CA-signed certificates so their HTTPS works with Firefox, > IE, Opera, etc. >
SSH is hand verified when you connect initially (thus creating a “signature”). Are you are going to hand-verify each signature / key? And then against what? Why not just verify the CD download once and be done with it? If you are paranoid, build a trust relationship with a mirror that provides SSL and save their cert. Anyway, I’m really over this. Have a good day. -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]
